Скрипты для автоматизации серверов
Коллекция полезных скриптов для автоматизации настройки, обслуживания и мониторинга серверов.
Скрипт первоначальной настройки сервера
server-setup.sh
#!/bin/bash
# ANSI colour codes for console output.
# They are stored as literal backslash sequences; `echo -e` in the logging
# helpers turns them into real escape characters at print time.
RED="\033[0;31m"
GREEN="\033[0;32m"
YELLOW="\033[1;33m"
NC="\033[0m" # reset ("no colour")
# Logging helper: prints a timestamped informational message in green.
# Globals:   GREEN, NC (read)
# Arguments: $1 - message text
# Outputs:   one line on stdout
log() {
  local stamp
  stamp=$(date +'%Y-%m-%d %H:%M:%S')
  echo -e "${GREEN}[${stamp}] $1${NC}"
}
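# Prints a yellow warning.
# Warnings go to stderr so they stay visible when stdout is redirected or
# captured and are not mistaken for normal output.
# Globals:   YELLOW, NC (read)
# Arguments: $1 - warning text
warn() {
  echo -e "${YELLOW}[WARNING] $1${NC}" >&2
}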
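# Prints a red error message to stderr and terminates the script.
# Globals:   RED, NC (read)
# Arguments: $1 - error text
# Returns:   never returns; exits the shell with status 1
error() {
  echo -e "${RED}[ERROR] $1${NC}" >&2
  exit 1
}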
# Everything below edits system-wide configuration, so insist on root.
if (( EUID != 0 )); then
  error "Этот скрипт должен быть запущен с правами root"
fi

log "Начинаем настройку сервера..."
# Refresh the package index and apply pending upgrades.
log "Обновление системы..."
apt update && apt upgrade -y

# Baseline tooling. ufw and fail2ban are configured later in this script.
log "Установка базовых пакетов..."
base_packages=(
  curl
  wget
  git
  vim
  htop
  tree
  unzip
  software-properties-common
  apt-transport-https
  ca-certificates
  gnupg
  lsb-release
  ufw
  fail2ban
  logrotate
  cron
)
apt install -y "${base_packages[@]}"
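# Create the administrative user.
# The SSH section of this script writes "AllowUsers $USERNAME" and turns
# password logins off, so this account and its key are what keep the server
# reachable afterwards.
read -r -p "Введите имя нового пользователя: " USERNAME
if [[ -n "$USERNAME" ]]; then
  # The name ends up in file paths, as a `sudo -u` target and inside
  # sshd_config, so accept only a conventional account name.
  username_re='^[a-z_][a-z0-9_-]{0,31}$'
  if [[ ! "$USERNAME" =~ $username_re ]]; then
    error "Недопустимое имя пользователя: $USERNAME"
  fi

  log "Создание пользователя $USERNAME..."
  # Re-running the script must not fail just because the account exists.
  if ! id -u "$USERNAME" >/dev/null 2>&1; then
    useradd -m -s /bin/bash "$USERNAME" \
      || error "Не удалось создать пользователя $USERNAME"
  fi
  usermod -aG sudo "$USERNAME" \
    || error "Не удалось добавить $USERNAME в группу sudo"
  # useradd sets no password here, so sudo has nothing to verify against
  # until one is assigned.
  warn "Пароль для $USERNAME не задан: задайте его командой 'passwd $USERNAME', иначе sudo будет недоступен"

  # SSH public key for the new account
  read -r -p "Введите публичный SSH ключ для $USERNAME: " SSH_KEY
  if [[ -n "$SSH_KEY" ]]; then
    # Accept a single "type base64 [comment]" line only; a pasted private key
    # or truncated text would otherwise produce an unusable authorized_keys.
    ssh_key_re='^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/=]+( .*)?$'
    if [[ ! "$SSH_KEY" =~ $ssh_key_re ]]; then
      error "Строка не похожа на публичный SSH ключ"
    fi

    ssh_dir="/home/$USERNAME/.ssh"
    sudo -u "$USERNAME" mkdir -p "$ssh_dir"
    sudo -u "$USERNAME" chmod 700 "$ssh_dir"
    # tee runs as the target user so the file is owned by them; its echo of
    # the key to the terminal is discarded.
    printf '%s\n' "$SSH_KEY" \
      | sudo -u "$USERNAME" tee "$ssh_dir/authorized_keys" >/dev/null
    sudo -u "$USERNAME" chmod 600 "$ssh_dir/authorized_keys"
    log "SSH ключ добавлен для пользователя $USERNAME"
  else
    warn "SSH ключ не задан: при отключённой парольной аутентификации вход для $USERNAME будет невозможен"
  fi
fi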
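# Harden the SSH daemon.
log "Настройка SSH..."
SSH_CONFIG="/etc/ssh/sshd_config"

# The configuration below admits only $USERNAME and only public-key login.
# Applying it without an existing account that already has a non-empty
# authorized_keys file would leave nobody able to log in, so in that case the
# current configuration is kept.
if [[ -z "${USERNAME:-}" ]] \
  || ! id -u "$USERNAME" >/dev/null 2>&1 \
  || [[ ! -s "/home/$USERNAME/.ssh/authorized_keys" ]]; then
  warn "Пользователь для SSH не задан или у него нет authorized_keys: настройки SSH не изменены"
else
  # Keep the first backup; a second run must not overwrite the pristine copy
  # with an already rewritten file.
  if [[ ! -e "$SSH_CONFIG.backup" ]]; then
    cp -p "$SSH_CONFIG" "$SSH_CONFIG.backup"
  fi

  # Build the candidate in a temporary file so it can be validated before the
  # live configuration is touched.
  SSH_CONFIG_NEW=$(mktemp) || error "Не удалось создать временный файл"

  # Directives that current OpenSSH releases treat as deprecated no-ops
  # (Protocol, UsePrivilegeSeparation, KeyRegenerationInterval, ServerKeyBits,
  # RSAAuthentication, RhostsRSAAuthentication) are left out.
  # NOTE(review): this file replaces the distribution's sshd_config wholesale,
  # so anything that file set and this one omits (for example UsePAM,
  # Subsystem sftp, Include) falls back to sshd's built-in default - confirm
  # that is intended.
  cat > "$SSH_CONFIG_NEW" << EOF
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
MaxAuthTries 3
MaxSessions 2
ClientAliveInterval 300
ClientAliveCountMax 2
UseDNS no
AllowUsers $USERNAME
EOF

  # `sshd -t` parses the candidate without starting a daemon. Restart only
  # when it passes: a syntax error would stop sshd from coming back up.
  if sshd -t -f "$SSH_CONFIG_NEW"; then
    # Overwrite in place so the owner and mode of sshd_config are preserved.
    cat "$SSH_CONFIG_NEW" > "$SSH_CONFIG"
    rm -f -- "$SSH_CONFIG_NEW"
    # Restart the SSH service
    if systemctl restart sshd; then
      log "SSH настроен и перезапущен"
    else
      warn "Не удалось перезапустить sshd, проверьте службу до закрытия текущей сессии"
    fi
  else
    rm -f -- "$SSH_CONFIG_NEW"
    warn "Новая конфигурация sshd не прошла проверку (sshd -t), файл $SSH_CONFIG не изменён"
  fi
fi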
# Firewall: drop inbound traffic by default, then open SSH and the web ports.
# `ufw --force reset` discards any rules that already exist on the host.
log "Настройка UFW..."
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
for ufw_rule in ssh 80/tcp 443/tcp; do
  ufw allow "$ufw_rule"
done
ufw --force enable
log "UFW настроен и активирован"
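# Fail2Ban configuration.
log "Настройка Fail2Ban..."

# Defaults plus the sshd jail, which reads the systemd journal.
cat > /etc/fail2ban/jail.local << EOF
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
backend = systemd
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
EOF

# The nginx jails watch a log file, so they need a file-based backend rather
# than the systemd default set above. This script does not install nginx, and
# fail2ban typically refuses to start when an enabled jail points at a filter
# or log file that is missing - which would take the sshd jail down with it.
# Each nginx jail is therefore added only when its filter and the log exist.
nginx_error_log="/var/log/nginx/error.log"
for f2b_jail in nginx-http-auth:3 nginx-req-limit:10; do
  f2b_name=${f2b_jail%%:*}
  f2b_retry=${f2b_jail##*:}
  if [[ -f "$nginx_error_log" ]] \
    && [[ -f "/etc/fail2ban/filter.d/${f2b_name}.conf" \
      || -f "/etc/fail2ban/filter.d/${f2b_name}.local" ]]; then
    cat >> /etc/fail2ban/jail.local << EOF
[$f2b_name]
enabled = true
filter = $f2b_name
backend = auto
logpath = $nginx_error_log
maxretry = $f2b_retry
bantime = 3600
EOF
  else
    warn "Fail2Ban: jail $f2b_name пропущен (нет фильтра или файла $nginx_error_log)"
  fi
done

systemctl enable fail2ban
# Report success only if the service actually came up.
if systemctl restart fail2ban; then
  log "Fail2Ban настроен и запущен"
else
  warn "Fail2Ban не запустился, проверьте: journalctl -u fail2ban"
fi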
# Unattended security updates.
log "Настройка автоматических обновлений безопасности..."
apt install -y unattended-upgrades

# Origins that may be upgraded automatically. The placeholders are written
# with an escaped dollar sign so that this shell leaves them untouched.
tee /etc/apt/apt.conf.d/50unattended-upgrades > /dev/null << EOF
Unattended-Upgrade::Allowed-Origins {
"\${distro_id}:\${distro_codename}-security";
"\${distro_id}ESMApps:\${distro_codename}-apps-security";
"\${distro_id}ESM:\${distro_codename}-infra-security";
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
EOF

# Periodic apt jobs: refresh lists, download, unattended upgrade, autoclean.
tee /etc/apt/apt.conf.d/20auto-upgrades > /dev/null << EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
# Message of the day: banner plus distribution, kernel and uptime.
# The heredoc delimiter is unquoted, so the $(...) substitutions run once,
# while this script executes; /etc/motd then holds those fixed values and the
# kernel and uptime lines do not change on later logins.
log "Настройка MOTD..."
cat > /etc/motd << EOF
██████╗ ███████╗██╗ ██╗ ██████╗ ██████╗ ███████╗
██╔══██╗██╔════╝██║ ██║██╔═══██╗██╔══██╗██╔════╝
██║ ██║█████╗ ██║ ██║██║ ██║██████╔╝███████╗
██║ ██║██╔══╝ ╚██╗ ██╔╝██║ ██║██╔═══╝ ╚════██║
██████╔╝███████╗ ╚████╔╝ ╚██████╔╝██║ ███████║
╚═════╝ ╚══════╝ ╚═══╝ ╚═════╝ ╚═╝ ╚══════╝
$(lsb_release -d | cut -f2)
Kernel: $(uname -r)
Uptime: $(uptime -p)
EOF
# Swap file: a 2G /swapfile, created only when the file is not there yet.
log "Настройка swap файла..."
swap_path=/swapfile
if ! [[ -f "$swap_path" ]]; then
  fallocate -l 2G "$swap_path"
  # Swap can hold memory contents of any process: owner-only access.
  chmod 600 "$swap_path"
  mkswap "$swap_path"
  swapon "$swap_path"
  # Persist across reboots.
  printf '%s\n' '/swapfile none swap sw 0 0' >> /etc/fstab
  log "Swap файл создан и активирован"
fi
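# Kernel parameters: network buffer tuning and network hardening.
log "Оптимизация системных параметров..."
# The block is appended to /etc/sysctl.conf, so guard on its first line:
# without the guard every run of the script adds another copy.
# NOTE(review): the bbr setting only applies if the running kernel provides
# that congestion control; otherwise `sysctl -p` reports an error for the key.
if ! grep -qxF '# Оптимизация сети' /etc/sysctl.conf 2>/dev/null; then
  cat >> /etc/sysctl.conf << EOF
# Оптимизация сети
net.core.rmem_default = 31457280
net.core.rmem_max = 67108864
net.core.wmem_default = 31457280
net.core.wmem_max = 67108864
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_congestion_control = bbr
# Безопасность
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
kernel.dmesg_restrict = 1
EOF
fi
sysctl -p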
# Generate the system update helper.
log "Создание скрипта обновления системы..."
update_script=/usr/local/bin/update-system
# The quoted delimiter writes the body verbatim; nothing in it is expanded by
# this script.
tee "$update_script" > /dev/null << 'EOF'
#!/bin/bash
echo "Обновление системы..."
apt update
apt upgrade -y
apt autoremove -y
apt autoclean
echo "Обновление snap пакетов..."
snap refresh
echo "Проверка состояния служб..."
systemctl --failed
echo "Использование диска:"
df -h
echo "Использование памяти:"
free -h
echo "Система обновлена!"
EOF
chmod +x "$update_script"
# Generate the status report helper.
status_script=/usr/local/bin/server-status
# Quoted delimiter: the $(...) and $2/$4 below are written literally and are
# evaluated when server-status runs, not now.
tee "$status_script" > /dev/null << 'EOF'
#!/bin/bash
echo "=== СОСТОЯНИЕ СЕРВЕРА ==="
echo "Время: $(date)"
echo "Uptime: $(uptime -p)"
echo
echo "=== ИСПОЛЬЗОВАНИЕ РЕСУРСОВ ==="
echo "CPU:"
top -bn1 | grep "Cpu(s)" | awk '{print $2 + $4"%"}'
echo
echo "Память:"
free -h
echo
echo "Диск:"
df -h | grep -E '^/dev/'
echo
echo "=== СЕТЕВЫЕ СОЕДИНЕНИЯ ==="
ss -tuln | grep LISTEN
echo
echo "=== ПОСЛЕДНИЕ ЛОГИ ==="
journalctl --since "1 hour ago" --no-pager -n 10
echo
echo "=== FAIL2BAN СТАТУС ==="
fail2ban-client status
echo
echo "=== ПРОЦЕССЫ С ВЫСОКИМ ИСПОЛЬЗОВАНИЕМ CPU ==="
ps aux --sort=-%cpu | head -n 6
EOF
chmod +x "$status_script"
# Closing summary and follow-up recommendations for the operator.
closing_notes=(
  "Настройка завершена!"
  "Рекомендации:"
  "1. Перезагрузите сервер для применения всех изменений"
  "2. Убедитесь, что SSH работает с новыми настройками"
  "3. Используйте 'update-system' для обновления системы"
  "4. Используйте 'server-status' для мониторинга"
)
for closing_note in "${closing_notes[@]}"; do
  log "$closing_note"
done
warn "НЕ ЗАБУДЬТЕ: Измените стандартный SSH порт и настройте резервное копирование!"
Скрипт для мониторинга ресурсов
resource-monitor.sh
#!/bin/bash
# Alert thresholds, in percent.
THRESHOLD_CPU='80'
THRESHOLD_MEMORY='85'
THRESHOLD_DISK='90'
# Where every check result is appended.
LOG_FILE='/var/log/resource-monitor.log'
# Recipient of alert mails.
EMAIL='admin@example.com'
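# Writes a timestamped line to stdout and appends it to the log file.
# Globals:   LOG_FILE (read)
# Arguments: $1 - message text
log_message() {
  # LOG_FILE is quoted so a path containing spaces is one argument to tee.
  printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" | tee -a -- "$LOG_FILE"
}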
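# Mails an alert and records it in the log.
# Globals:   EMAIL (read)
# Arguments: $1 - mail subject
#            $2 - mail body
send_alert() {
  local subject="$1"
  local message="$2"
  # A missing or failing `mail` must not go unnoticed: the log is then the
  # only place where the alert exists, so say that delivery failed.
  if printf '%s\n' "$message" | mail -s "$subject" "$EMAIL"; then
    log_message "ALERT: $subject"
  else
    log_message "ALERT: $subject (mail delivery failed)"
  fi
}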
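# Logs current CPU usage (user + system, from `top`) and alerts above the
# threshold.
# Globals:   THRESHOLD_CPU (read)
# Returns:   1 when the usage could not be parsed, 0 otherwise
check_cpu() {
  local cpu_usage
  # LC_ALL=C pins the decimal separator: with a comma-decimal locale the
  # fractions are dropped by awk and the sum is too low.
  cpu_usage=$(LC_ALL=C top -bn1 | LC_ALL=C awk '/Cpu\(s\)/ {print $2 + $4; exit}')
  cpu_usage=${cpu_usage%.*}
  # An empty or non-numeric value would compare as 0 and silently never alert.
  if [[ ! "$cpu_usage" =~ ^[0-9]+$ ]]; then
    log_message "ERROR: could not determine CPU usage"
    return 1
  fi
  if [[ "$cpu_usage" -gt "$THRESHOLD_CPU" ]]; then
    send_alert "High CPU Usage: ${cpu_usage}%" "CPU usage is at ${cpu_usage}% on $(hostname)"
  fi
  log_message "CPU Usage: ${cpu_usage}%"
}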
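# Logs memory usage (used/total from `free`) and alerts above the threshold.
# Globals:   THRESHOLD_MEMORY (read)
# Returns:   1 when the usage could not be parsed, 0 otherwise
check_memory() {
  local memory_usage
  # LC_ALL=C keeps the row label as "Mem:"; `free` translates it in other
  # locales, and the match then finds nothing.
  memory_usage=$(LC_ALL=C free \
    | LC_ALL=C awk '/^Mem:/ && $2 > 0 {printf "%.0f", $3/$2 * 100.0}')
  # An empty value would compare as 0 and silently never alert.
  if [[ ! "$memory_usage" =~ ^[0-9]+$ ]]; then
    log_message "ERROR: could not determine memory usage"
    return 1
  fi
  if [[ "$memory_usage" -gt "$THRESHOLD_MEMORY" ]]; then
    send_alert "High Memory Usage: ${memory_usage}%" "Memory usage is at ${memory_usage}% on $(hostname)"
  fi
  log_message "Memory Usage: ${memory_usage}%"
}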
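# Logs the usage of every mounted filesystem and alerts above the threshold.
# Globals:   THRESHOLD_DISK (read)
check_disk() {
  local usage partition
  while read -r usage partition; do
    if [[ "$usage" -gt "$THRESHOLD_DISK" ]]; then
      send_alert "High Disk Usage: ${usage}%" "Disk usage is at ${usage}% for partition ${partition} on $(hostname)"
    fi
    log_message "Disk Usage: ${usage}% (${partition})"
  done < <(
    # `df -P` gives one line per filesystem in a fixed column layout. The
    # header is skipped and only rows with a numeric percentage are kept:
    # matching any "%" also picks up the "Use%" heading as if it were a disk.
    # Fields from the sixth on are rejoined so mount points with spaces
    # survive.
    LC_ALL=C df -P | awk '
      NR > 1 && $5 ~ /^[0-9]+%$/ {
        pct = $5
        sub(/%$/, "", pct)
        mount = $6
        for (i = 7; i <= NF; i++) mount = mount " " $i
        print pct, mount
      }'
  )
}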
# Reports the state of a fixed list of services.
# A unit that is running is logged; one that is stopped raises an alert only
# if it is enabled, and stopped units that are not enabled are ignored.
check_services() {
  local -a watched=("nginx" "mysql" "redis" "docker")
  local service
  for service in "${watched[@]}"; do
    if systemctl is-active --quiet "$service"; then
      log_message "Service $service: Running"
      continue
    fi
    # Not running: skip units that are not enabled.
    systemctl is-enabled --quiet "$service" || continue
    send_alert "Service Down: $service" "Service $service is not running on $(hostname)"
    log_message "Service $service: DOWN"
  done
}
# Entry point: runs every check once, bracketed by start and end log lines.
main() {
  local check
  log_message "Starting resource monitoring"
  for check in check_cpu check_memory check_disk check_services; do
    "$check"
  done
  log_message "Resource monitoring completed"
}

main
Скрипт автоматического резервного копирования
backup.sh
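#!/bin/bash
# The backups hold database dumps and a copy of /etc/ssl, which may include
# private keys. With the usual default umask they would be created readable
# by every local user, so make everything this script creates owner-only.
umask 077

# Root of all backups; each run writes into a timestamped subdirectory.
BACKUP_DIR="/backup"
DATE=$(date +%Y%m%d_%H%M%S)
# Backup directories older than this many days are removed.
RETENTION_DAYS=30
LOG_FILE="/var/log/backup.log"
# What to back up.
DATABASES=("myapp_db" "analytics_db")
DIRECTORIES=("/var/www" "/etc/nginx" "/etc/ssl")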
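# Writes a timestamped line to stdout and appends it to the log file.
# Globals:   LOG_FILE (read)
# Arguments: $1 - message text
log() {
  # LOG_FILE is quoted so a path containing spaces is one argument to tee.
  printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" | tee -a -- "$LOG_FILE"
}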
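# Creates the timestamped directory for this run.
# Globals:   BACKUP_DIR, DATE (read)
# Returns:   1 if the directory cannot be created, 0 otherwise
create_backup_dir() {
  local target="$BACKUP_DIR/$DATE"
  if ! mkdir -p -- "$target"; then
    log "ERROR: Cannot create backup directory: $target"
    return 1
  fi
  # Dumps and key material are written here: restrict the directory to its
  # owner regardless of the umask in effect.
  chmod 700 -- "$target"
  log "Created backup directory: $target"
}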
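# Dumps every database in DATABASES to a gzip-compressed file.
# Globals:   DATABASES, BACKUP_DIR, DATE (read)
# Returns:   1 if any dump failed, 0 otherwise
backup_databases() {
  local db dump failed=0
  local -a rc
  log "Starting database backup..."
  for db in "${DATABASES[@]}"; do
    log "Backing up database: $db"
    dump="$BACKUP_DIR/$DATE/${db}_$DATE.sql.gz"
    mysqldump --single-transaction --routines --triggers "$db" | gzip > "$dump"
    # $? after a pipeline is gzip's status only, so a failed mysqldump would
    # be reported as a success. PIPESTATUS has the status of both stages.
    rc=("${PIPESTATUS[@]}")
    if (( rc[0] == 0 && rc[1] == 0 )); then
      log "Database $db backed up successfully"
    else
      log "ERROR: Failed to backup database $db"
      # Do not leave an empty or truncated dump that looks like a backup.
      rm -f -- "$dump"
      failed=1
    fi
  done
  return "$failed"
}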
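# Archives every directory in DIRECTORIES as <basename>_<DATE>.tar.gz.
# Globals:   DIRECTORIES, BACKUP_DIR, DATE (read)
# Returns:   1 if any archive failed, 0 otherwise (missing directories are
#            only warned about)
backup_files() {
  local dir parent dir_name archive failed=0
  log "Starting file backup..."
  for dir in "${DIRECTORIES[@]}"; do
    if [[ ! -d "$dir" ]]; then
      log "WARNING: Directory $dir does not exist"
      continue
    fi
    # Every expansion is quoted so a path with spaces stays one argument.
    dir_name=$(basename -- "$dir")
    parent=$(dirname -- "$dir")
    archive="$BACKUP_DIR/$DATE/${dir_name}_$DATE.tar.gz"
    log "Backing up directory: $dir"
    # -C makes the archive members relative to the parent directory.
    if tar -czf "$archive" -C "$parent" "$dir_name"; then
      log "Directory $dir backed up successfully"
    else
      log "ERROR: Failed to backup directory $dir"
      failed=1
    fi
  done
  return "$failed"
}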
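# Saves the package selection list, the enabled systemd units and the
# invoking user's crontab next to the backups.
# Globals:   BACKUP_DIR, DATE (read)
backup_system_info() {
  # Quoted so a backup path with spaces is not split into several words.
  local target="$BACKUP_DIR/$DATE"
  log "Backing up system information..."
  dpkg --get-selections > "$target/installed_packages_$DATE.txt"
  systemctl list-unit-files --state=enabled > "$target/enabled_services_$DATE.txt"
  # `crontab -l` fails when the user has no crontab; that is not an error here.
  crontab -l > "$target/crontab_$DATE.txt" 2>/dev/null || echo "No crontab found"
  log "System information backed up"
}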
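# Deletes backup directories older than RETENTION_DAYS.
# Globals:   BACKUP_DIR, RETENTION_DAYS (read)
# Returns:   1 if BACKUP_DIR is unset or not a directory, else find's status
cleanup_old_backups() {
  log "Cleaning up old backups..."
  # With an empty BACKUP_DIR the find/rm below would run against whatever
  # directory the script was started from.
  if [[ -z "${BACKUP_DIR:-}" || ! -d "$BACKUP_DIR" ]]; then
    log "ERROR: BACKUP_DIR is not set or is not a directory; skipping cleanup"
    return 1
  fi
  # Only direct children whose name has the YYYYMMDD_HHMMSS shape this script
  # creates are removed; any other directory with an underscore in its name,
  # at any depth, is left alone.
  find "$BACKUP_DIR" -mindepth 1 -maxdepth 1 -type d \
    -name '[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_[0-9][0-9][0-9][0-9][0-9][0-9]' \
    -mtime "+$RETENTION_DAYS" -exec rm -rf -- {} + || return
  log "Old backups cleaned up (older than $RETENTION_DAYS days)"
}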
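# Writes a plain-text summary of this run into the backup directory.
# Globals:   BACKUP_DIR, DATE (read)
create_backup_summary() {
  local target="$BACKUP_DIR/$DATE"
  local summary_file="$target/backup_summary_$DATE.txt"
  # Paths are quoted here and inside the substitutions; unquoted, a backup
  # path with spaces breaks the redirection and the ls/du calls.
  cat > "$summary_file" << EOF
Backup Summary
Date: $(date)
Server: $(hostname)
Backup Location: $BACKUP_DIR/$DATE
Files Backed Up:
$(ls -la "$target/")
Disk Usage:
$(du -sh "$target")
Total Backup Size: $(du -sh "$BACKUP_DIR" | cut -f1)
EOF
  log "Backup summary created: $summary_file"
}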
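# Entry point: runs every backup step and reports the overall result.
# A step that returns non-zero marks the run as failed; the run is then not
# announced as successful and old backups are kept, so a broken run never
# prunes the last good copies.
main() {
  local failed=0
  log "Starting backup process..."
  if ! create_backup_dir; then
    log "ERROR: Backup aborted, backup directory is not available"
    exit 1
  fi
  backup_databases || failed=1
  backup_files || failed=1
  backup_system_info || failed=1
  create_backup_summary || failed=1

  if (( failed )); then
    log "Backup process completed with errors"
    echo "Backup finished with errors on $(hostname) at $(date)" \
      | mail -s "Backup FAILED" admin@example.com
    exit 1
  fi

  cleanup_old_backups
  log "Backup process completed successfully"
  # Send the notification
  echo "Backup completed successfully on $(hostname) at $(date)" \
    | mail -s "Backup Completed" admin@example.com
}

main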
Установка и настройка скриптов
Создание директорий и установка
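# Directories for the scripts and their logs.
sudo mkdir -p /opt/scripts
sudo mkdir -p /var/log/scripts
# cron runs these scripts as root, so install them owned by root with an
# explicit mode instead of whatever the source files and umask happen to give:
# nobody but root (and the root group, read/execute only) gets access.
sudo install -o root -g root -m 0750 \
  server-setup.sh resource-monitor.sh backup.sh /opt/scripts/
# -f replaces an existing link, so the step can be repeated.
sudo ln -sfn /opt/scripts/resource-monitor.sh /usr/local/bin/resource-monitor
sudo ln -sfn /opt/scripts/backup.sh /usr/local/bin/backup-system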
Настройка cron задач
sudo crontab -e
0 2 * * * /opt/scripts/backup.sh
*/15 * * * * /opt/scripts/resource-monitor.sh
0 6 * * 0 /usr/local/bin/update-system
Настройка logrotate
sudo nano /etc/logrotate.d/custom-scripts
Содержимое:
/var/log/resource-monitor.log {
daily
missingok
rotate 30
compress
notifempty
create 644 root root
}
/var/log/backup.log {
daily
missingok
rotate 90
compress
notifempty
create 644 root root
}
Автоматизация
Настройте эти скрипты для запуска по расписанию через cron для полной автоматизации обслуживания сервера.
Безопасность
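Обязательно настройте правильные права доступа к скриптам и логам, особенно если они содержат чувствительную информацию. Например, каталог резервных копий содержит дампы баз данных и архив /etc/ssl, а журналы в приведённой выше конфигурации logrotate создаются с правами 644, то есть доступны на чтение всем пользователям системы.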